1. Field of the Invention
The present invention relates to a firewall device, and in particular to a firewall device protecting a specific network against an attack from an external network.
2. Description of the Related Art
FIG. 21 shows an arrangement of a general network, which is composed of the Internet/intranet 400, a firewall device 100x connected to the Internet/intranet 400, a client (or a site manager) 200_1, clients 200_2-200_4 (hereinafter, occasionally represented by a reference numeral 200), and a server 300 connected to the Internet/intranet 400 through the firewall device 100x. A site 310 within the server 300 accommodates contents 301_1-301_n (hereinafter, occasionally represented by a reference numeral 301).
Services of the site 310 are provided to the client 200 from the server 300 through the Internet/intranet 400 and the firewall device 100. Similarly, the site manager 200_1 manages the site 310 on the server 300 through the Internet/intranet 400 and the firewall device 100.
The firewall device 100 is for defending the site 310 against an attack. Namely, when the content 301 is disclosed to an indefinite number of clients 200, the firewall device 100 protects the content 301 within the server 300 against a mala fide (or malicious) client 200_x (not shown). It is to be noted that the firewall device 100 is also called a Web application firewall device (WAF) 100x.
FIG. 22 shows an arrangement of the prior art firewall device 100x, which is composed of a client side transceiver 10x, a filtering object identifying portion 20x, a filtering processor 60x, and a server side transceiver 70x. 
FIG. 23 shows a general filtering example of the firewall device 100x, which performs filtering on a frame 700a received from e.g. the mala fide client 200_x and transmits a frame 700b, which is the result of the filtering, to the server 300.
FIG. 24 shows an operation procedure example of the filtering in FIG. 23. Hereinafter, the operation procedure of the filtering will be described referring to FIGS. 22-24.
In FIG. 23, the device 100x receives the frame 700a from the mala fide client 200_x. The data in the frame 700a is e.g. “. . . <script> alert(‘test’) </script> . . .”.
Steps S800 and S810: In the device 100x (see FIG. 22), the client side transceiver 10x receives the frame 700a to be provided to the filtering object identifying portion 20x. The filtering object identifying portion 20x scans the data ( . . . <script>alert(‘test’)</script> . . . ) of the frame 700a to determine whether or not it includes an attack pattern.
Steps S810 and S830: When the attack pattern is not included, the filtering object identifying portion 20x provides the frame 700a to the server side transceiver 70x. 
Steps S810 and S820: In the presence of a specific pattern used for an attack, e.g. HTML tag (<script>, </script>), the filtering object identifying portion 20x provides the frame 700a to the filtering processor 60x. 
The filtering processor 60x replaces a left bracket “<” and a right bracket “>”, which respectively indicate an HTML tag, by the other characters “&lt;” and “&gt;”, and provides the frame 700b including the sanitized data ( . . . &lt;script&gt;alert(‘test’)&lt;/script&gt; . . . ) to the server side transceiver 70x (see step T0 in FIG. 23). It is to be noted that when the specific pattern used for an attack is included, the filtering object identifying portion 20x may instead interrupt communications to the client 200_x, which is not shown.
Step S830: The server side transceiver 70x transmits the frame 700a or frame 700b received to the server 300.
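The request-side procedure of steps S800-S830 can be followed in code. The following is an added illustration written for this description and is not the patent's own implementation: the attack-pattern list, the frame payloads and the `Frame` fields are constructed for the example. It also reproduces the behaviour discussed later for the prior art, namely that the same sanitizing is applied whatever the source of the frame, so a frame from the site manager 200_1 containing the pattern is filtered exactly like one from the mala fide client 200_x.

```python
"""Added example of the request-side filtering of FIGS. 22-24 (not patent code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed filtering object data patterns: the "specific patterns used for an
# attack" that the filtering object identifying portion 20x scans for.
ATTACK_PATTERNS: List[re.Pattern] = [
    re.compile(r"<\s*script\b", re.IGNORECASE),          # opening HTML script tag
    re.compile(r"<\s*/\s*script\s*>", re.IGNORECASE),    # closing HTML script tag
    re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE),    # SQL injection keyword pair
]


@dataclass
class Frame:
    source: str   # assumed field: identifies the sending client (e.g. "200_x")
    data: str     # payload of the frame (e.g. a GET/POST message body)


def identify_filtering_object(frame: Frame) -> bool:
    """Step S810 (portion 20x): True when the frame data includes an attack pattern."""
    return any(p.search(frame.data) for p in ATTACK_PATTERNS)


def sanitize(data: str) -> str:
    """Step S820 (filtering processor 60x): replace the brackets that delimit an
    HTML tag by character references so a browser renders them as plain text.
    Only '<' and '>' are replaced, as the description states."""
    return data.replace("<", "&lt;").replace(">", "&gt;")


def firewall_forward(frame: Frame) -> Tuple[str, Frame]:
    """Steps S800-S830: returns the action taken and the frame handed to the
    server side transceiver 70x (frame 700a unchanged, or sanitized frame 700b)."""
    if not identify_filtering_object(frame):
        return "pass", frame                          # S810 -> S830
    return "sanitized", Frame(frame.source, sanitize(frame.data))  # S820, T0


if __name__ == "__main__":
    attack = Frame("200_x", ". . . <script> alert('test') </script> . . .")
    benign = Frame("200_2", "search=firewall device")
    # A site manager embedding a script in a blog post hits the same pattern.
    manager = Frame("200_1", "<p>New post</p><script src=\"/stats.js\"></script>")
    for f in (attack, benign, manager):
        action, out = firewall_forward(f)
        print(f"{f.source}: {action:9s} -> {out.data}")
```

Running the block shows the frame from 200_x being rewritten to `. . . &lt;script&gt; alert('test') &lt;/script&gt; . . .`, the benign search query passing untouched, and the site manager's post being sanitized as well, since the prior art device has no way to tell the two sources apart.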
Thus, the firewall device 100x performs pattern detection and defense targeting Cross Site Scripting (XSS), SQL (Structured Query Language) injection, or the like, which are attacks on the application layer. As for the XSS attack, the application on the server 300 fails to remove a script included in an access request from the client 200_x, so that there is a vulnerability of returning a response including the above-mentioned script to the client 200. With this vulnerability, the mala fide client 200_x can make a third party's browser read the unauthorized script and execute it.
In the defense against the XSS attack, when the source code of a script is included in a GET/POST message of an HTTP request from the client, the data is discarded or the attack is sanitized by escaping keywords. Hereinafter, both the “discarding” and the “sanitizing” functions will be called “filtering”. By this filtering, it is possible to prevent the mala fide client 200_x from uploading abnormal data including an unauthorized script or the like to the server 300.
Similarly, as for the SQL injection attack, the execution of an unauthorized SQL syntax can be also prevented by the filtering.
However, the filtering may not be possible in advance when data from a user (client 200_2) is used as it is as the input of a Web application such as a web page retrieval service.
Therefore, in a firewall device (filtering device) 100y as described in patent document 1 noted below, when an access request is received and an unauthorized code which is harmless for the server 300 but harmful for the client 200 is included in the access request, this unauthorized code (attack pattern) is stored. When an access response for the access request is received and the stored unauthorized code remains in the access response, the firewall device 100x removes the unauthorized code from the access response.
[Patent document 1] Japanese Patent Application Laid-open No. 2005-092564 (page 4, FIG. 1)
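The request/response correlation attributed to the filtering device 100y can be illustrated as follows. This is an added example written for this description, not the code of the patent or of patent document 1; the request identifier used to match a response to its request, the script pattern and the search-service payloads are constructed assumptions.

```python
"""Added example of response-side filtering (filtering device 100y), not patent code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed pattern for an unauthorized code that is harmless to the server
# (it is only a search string there) but harmful to a client whose browser
# would execute it if the server reflects it in the response.
UNAUTHORIZED_CODE = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>",
                               re.IGNORECASE | re.DOTALL)


@dataclass
class FilteringDevice:
    # Unauthorized codes stored per access request; the key is an assumed
    # request identifier that the device uses to pair a response with its request.
    stored: Dict[str, List[str]] = field(default_factory=dict)

    def on_access_request(self, request_id: str, body: str) -> str:
        """Store any unauthorized code found in the request and forward the
        request unchanged, since the code does not harm the server 300."""
        codes = UNAUTHORIZED_CODE.findall(body)
        if codes:
            self.stored[request_id] = codes
        return body

    def on_access_response(self, request_id: str, body: str) -> str:
        """Remove each stored unauthorized code that remains in the response
        before it reaches the client 200, then forget the request."""
        for code in self.stored.pop(request_id, []):
            body = body.replace(code, "")
        return body


if __name__ == "__main__":
    device = FilteringDevice()
    # Constructed exchange with a web page retrieval (search) service.
    query = "q=<script>alert('test')</script>"
    device.on_access_request("req-1", query)
    echoed = "No results for <script>alert('test')</script> on this site."
    print(device.on_access_response("req-1", echoed))
    # A response to a request that carried no unauthorized code is untouched.
    print(device.on_access_response("req-2", "Results for firewall: 3 pages"))
```

Only responses whose originating request carried the stored code are altered; the reflected script is removed while the rest of the page body, and any unrelated response, pass through unchanged.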
Since discriminating a malicious (or mala fide) code is difficult in the prior art firewall device 100x and the filtering device 100y, the filtering has been performed on all of the traffic matching the attack pattern (filtering object data pattern). Namely, in the prior art firewall device 100x and the filtering device 100y, even when a non-malicious source device, e.g. the site manager 200_1, updates a Blog/message board in the site 310 by using GET/POST of the HTTP, unnecessary filtering is executed. Thus, while the security is made high, there is a problem that convenience for the site manager 200_1 and the service quality are reduced.